hashicorp / packer

Packer is a tool for creating identical machine images for multiple platforms from a single source configuration.
http://www.packer.io

Re-arrange credential documentation and add warnings to Static Credentials #10827

Open grove-mountain opened 3 years ago

grove-mountain commented 3 years ago

Community Note

Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request. Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request. If you are interested in working on this issue or have submitted a pull request, please leave a comment.

Description

Change the ordering of the credential documentation to have Static Credentials listed last and add warnings about checking credentials into public VCS. There is a massive amount of cloud credential leakage caused by people accidentally checking their cloud credentials into public VCS repos. Our documentation lists Static Credentials as the first option and does not warn folks that checking in admin credentials is a sure-fire way of mining some form of crypto-currency within minutes, often at great cost to an organization.

We should order our cloud credential configurations in a list of most-to-least secure as well as describe the benefits of using particular patterns. We should also clearly warn folks what can happen if they check credentials into public VCS repos.

SwampDragons commented 3 years ago

We could also add a warning from inside the Packer prepare that points out to users "hey this isn't secure"

tenthirtyam commented 3 months ago

I realize that this issue is rather dated, but I wanted to suggest that this issue is no longer relevant to this portion of the project after the plugin split, but rather with each plugin to drive to this as a standard.

One suggestion is to transfer this issue to hashicorp/packer-plugin-scaffolding so that an update with the recommended structure can be added to the docs/README.md template and then encourage integration listings to encourage the practice.

cc @nywilken @lbajolet-hashicorp

lbajolet-hashicorp commented 3 months ago

Thanks for the update @tenthirtyam,

Updating the scaffolding is a starting point indeed, I think we should probably also have some reference elsewhere that documents that. Our plugin developer documentation is severely lacking at this point, and that's something we're planning to improve in the not too distant future. It'll be good to keep that topic in mind when doing that work.